FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

IPv6 compatibility in radius server list "/etc/pam_radius_auth.conf" #49

Closed mhatelus closed 2 years ago

mhatelus commented 2 years ago

Hi,

I'm trying to configure IPv6 radius servers in the pam_radius_auth.conf file and am having issues. I was previously using IPv4 servers and it was working well. I followed the comment guidelines in the conf file to add in the new IPv6 servers, but when I go to test radius authentication using ssh, it fails.

When reviewing the log file "/var/log/auth.log", I see that the pam_radius_auth process fails to process the IPv6 address and does a check on "[2001", instead of the full IPv6 address I added:

Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: Failed looking up IP address for RADIUS server [2001 (errcode=9)
Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: Failed looking up IP address for RADIUS server [2001 (errcode=9)
Oct 15 20:36:27 SERVER sshd[3761091]: pam_radius_auth: All RADIUS servers failed to respond.

Configuration used in "pam_radius_auth.conf" (tried using no brackets and no specific port, but the issue is the same):

[2001:100:100:100::1]:1812 secret 5
[2001:100:100:101::2]:1812 secret 5

I also updated the "libpam-radius-auth" library to the latest version 1.4.0-3, but it does not help with the issue:

user:~$ sudo apt upgrade libpam-radius-auth
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-radius-auth is already the newest version (1.4.0-3).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Is IPv6 compatible for the radius server list? Wanted to check if this is a known issue or if there is something else that is wrong.

Thanks,
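The log above shows the server string being cut at its first colon ("[2001"), which is what happens when a "host:port" split is applied to an IPv6 literal. The following is an added example written for this thread, not code from pam_radius: a small parser for pam_radius_auth.conf lines in the column layout posted here, with the naive first-colon split beside a bracket-aware one. The sample configuration is constructed; the field order (server[:port], secret, timeout, optional source address, optional vrf) follows the lines posted in this thread, and the defaults of port 1812 and a 3 second timeout are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the column layout of the lines posted in this thread.
SAMPLE_CONF = """\
# server[:port]              shared_secret    timeout  [source_ip]           [vrf]
[2001:100:100:100::1]:1812   secret           5
[2001:100:100:101::2]        secret           5
[2001:0db8:85a3::4]:1812     other6-secret    3        [2001:0db8:85a3::3]   vrf-red
[fd00::242:ac11:2]           testing123       3
192.0.2.10:1812              v4secret         3
radius.example.net           hostsecret       3
"""

DEFAULT_PORT = 1812     # assumption: standard RADIUS authentication port
DEFAULT_TIMEOUT = 3     # assumption: per-server timeout when the column is absent


@dataclass
class RadiusServer:
    host: str
    port: int
    secret: str
    timeout: int
    source_ip: Optional[str] = None
    vrf: Optional[str] = None


def naive_split(field: str) -> Tuple[str, int]:
    """Reproduce the behaviour visible in the reporter's log: cut at the first ':'.

    For '[2001:100:100:100::1]:1812' this yields host '[2001', exactly the
    string the log shows being handed to the resolver.
    """
    host, _, rest = field.partition(":")
    port = int(rest) if rest.isdigit() else DEFAULT_PORT
    return host, port


# Either a bracketed IPv6 literal or a colon-free host, each with an optional :port.
_SERVER_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\[\]:]+))(?::(?P<port>\d{1,5}))?$"
)


def parse_server_field(field: str, default_port: int = DEFAULT_PORT) -> Tuple[str, int]:
    """Bracket-aware split of 'server[:port]'.

    A bare IPv6 literal such as 'fd00::1' is rejected rather than guessed at:
    without brackets there is no way to tell a port from the last hextet.
    """
    m = _SERVER_RE.match(field)
    if not m:
        raise ValueError(f"cannot parse server field {field!r} (IPv6 must be in [brackets])")
    if m.group("v6"):
        host = m.group("v6")
        ipaddress.IPv6Address(host)  # raises ValueError on a malformed literal
    else:
        host = m.group("host")
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {field!r}")
    return host, port


def parse_conf(text: str) -> List[RadiusServer]:
    """Parse the whole file; full-line '#' comments and blank lines are skipped."""
    servers: List[RadiusServer] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least server and secret")
        host, port = parse_server_field(fields[0])
        secret = fields[1]
        timeout = int(fields[2]) if len(fields) > 2 else DEFAULT_TIMEOUT
        # The source address column may also be a bracketed IPv6 literal.
        source_ip = parse_server_field(fields[3])[0] if len(fields) > 3 else None
        vrf = fields[4] if len(fields) > 4 else None
        servers.append(RadiusServer(host, port, secret, timeout, source_ip, vrf))
    return servers


if __name__ == "__main__":
    for srv in parse_conf(SAMPLE_CONF):
        print(f"naive={naive_split(srv.host)[0]!r:28} correct={srv.host!r}:{srv.port}")
```

Running the block shows that the naive split produces "[2001" for every bracketed IPv6 entry while the bracket-aware parser returns the full address; a bare, unbracketed IPv6 literal is rejected by design, which is why the conf file's own comments ask for brackets.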

alancarwile commented 2 years ago

It looks like you have some special characters in the data. Try a command like this to see if characters are what you think they are:

$ hexdump -C
[2001:0db8:85a3::4]:1812    other6-secret      3            [2001:0db8:85a3::3]  vrf-red
00000000  5b 32 30 30 31 3a 30 64  62 38 3a 38 35 61 33 3a  |[2001:0db8:85a3:|
00000010  3a 34 5d 3a 31 38 31 32  20 20 20 20 6f 74 68 65  |:4]:1812    othe|
00000020  72 36 2d 73 65 63 72 65  74 20 20 20 20 20 20 33  |r6-secret      3|
00000030  20 20 20 20 20 20 20 20  20 20 20 20 5b 32 30 30  |            [200|
00000040  31 3a 30 64 62 38 3a 38  35 61 33 3a 3a 33 5d 20  |1:0db8:85a3::3] |
mhatelus commented 2 years ago

Confirmed that the characters are correct in the pam conf file.

 hexdump -C
[2001:100:100:100::1]:1812 secret 5
00000000  5b 32 30 30 31 3a 31 30  30 3a 31 30 30 3a 31 30  |[2001:100:100:10|
00000010  30 3a 3a 31 5d 3a 31 38  31 32 20 73 65 63 72 65  |0::1]:1812 secre|
alandekok commented 2 years ago

Which version are you using? Because the most recent one handles IPv6.

mhatelus commented 2 years ago

I'm running the most recent version of libpam-radius-auth via 1.4.0-3:

user:~$ sudo apt upgrade libpam-radius-auth
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-radius-auth is already the newest version (1.4.0-3).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

jpereira commented 2 years ago

@mhatelus So, using the latest code we have the below test against the Ubuntu 21.04

  1. Content of /etc/pam.d/sshd
# grep -vE "^(#|$)" /etc/pam.d/sshd
auth    sufficient      pam_radius_auth.so debug conf=/etc/pam_radius_auth.conf
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password
#
  2. Content of /etc/ssh/sshd_config
# grep -vE "^(#|$)" /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
#
  3. Used /etc/pam_radius_auth.conf
# grep -vE "^(#|$)" /etc/pam_radius_auth.conf
[fd00::242:ac11:2]      testing123                      3
#

i.e.: Did the same tests adding the port like: [fd00::242:ac11:2]:1812

  4. Testing the ssh authentication using ssh -l ubuntu ::1

  5. We'll see the below logs from pam_radius_auth

# tail -f /var/log/auth.log
Oct 26 14:51:49 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Got user name ubuntu
Oct 26 14:51:49 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Sending RADIUS request code 1
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: DEBUG: get_ipaddr(fd00::242:ac11:2) returned 0.
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: Got RADIUS response code 2
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7322]: pam_radius_auth: authentication succeeded
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7320]: Accepted keyboard-interactive/pam for ubuntu from fd00::242:ac11:2 port 42748 ssh2
Oct 26 14:51:51 devbox-ubuntu_2104 sshd[7320]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)

Therefore, probably you have something different in your setup, or the mentioned version is broken. Please try the latest code.

e.g:

# git clone https://github.com/FreeRADIUS/pam_radius
# cd pam_radius
# make
# install -m 0644 pam_radius_auth.so /lib/security

And follow the previous steps and let us know if you are still facing issues.

mhatelus commented 2 years ago

@jpereira

Hi jpereira,

The steps you recommended fixed the issue for me. My question is, how do I verify if the version was broken? Before opening the ticket here, I validated the version of the library via dpkg command, see below. Is there another command I should be using to confirm the version of the pam_radius_auth.so file?

t927922@server:~/pam_radius$ dpkg -l | grep pam
ii  libpam-cap:amd64       1:2.32-1            amd64  POSIX 1003.1e capabilities (PAM module)
ii  libpam-modules:amd64   1.3.1-5ubuntu4.3    amd64  Pluggable Authentication Modules for PAM
ii  libpam-modules-bin     1.3.1-5ubuntu4.3    amd64  Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-radius-auth     1.4.0-3             amd64  PAM RADIUS authentication module
ii  libpam-runtime         1.3.1-5ubuntu4.3    all    Runtime support for the PAM library
ii  libpam-systemd:amd64   245.4-4ubuntu3.13   amd64  system and service manager - PAM module
ii  libpam0g:amd64         1.3.1-5ubuntu4.3    amd64  Pluggable Authentication Modules library
ii  libpam0g-dev:amd64     1.3.1-5ubuntu4.3    amd64  Development files for PAM

mhatelus commented 2 years ago

@jpereira

Also, thank you for solving this case. Along with the others who have commented in the thread so far, I appreciate your help in looking at this issue.

jpereira commented 2 years ago

No worries, we are doing some improvements that are coming up soon. About your problem: you need to remove the package (dpkg -P libpam-radius-auth) and install the module following the mentioned steps:

# git clone https://github.com/FreeRADIUS/pam_radius
# cd pam_radius
# make
# install -m 0644 pam_radius_auth.so /lib/security

i.e.: We did several improvements against the master branch.
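dpkg -l, as used earlier in the thread, only reports which package version is installed; it says nothing about whether the .so on disk is still the file that package shipped, which is the question that matters once a module has been built from git and copied in by hand. The check below is an added example written for this thread, not part of pam_radius: it compares a module file against the md5sums record dpkg keeps for each package in /var/lib/dpkg/info/<package>.md5sums, the same record dpkg --verify consults. The package name libpam-radius-auth and the module paths are assumptions; the sample record and module bytes in the block are constructed.

```python
import hashlib
from pathlib import Path
from typing import Optional


def md5_hex(data: bytes) -> str:
    """dpkg records MD5 (not a collision-resistant hash, but it is what the record uses)."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins: the bytes "the package shipped" and the matching record line.
# A real md5sums file has one "<md5>  <path without leading slash>" per line.
SAMPLE_MODULE = b"constructed pam_radius_auth.so contents\n"
SAMPLE_MD5SUMS = (
    f"{md5_hex(SAMPLE_MODULE)}  lib/security/pam_radius_auth.so\n"
    f"{md5_hex(b'constructed copyright file')}  usr/share/doc/libpam-radius-auth/copyright\n"
)


def recorded_md5(md5sums_text: str, rel_path: str) -> Optional[str]:
    """Look up the MD5 dpkg recorded for rel_path, or None if the path is not in the record."""
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == rel_path:
            return parts[0]
    return None


def classify(module_bytes: Optional[bytes], md5sums_text: Optional[str], rel_path: str) -> str:
    """Return one of 'missing', 'unpackaged', 'modified', 'packaged'.

    'unpackaged' means no package record covers this path, i.e. a hand-installed
    file that apt will neither upgrade nor remove; 'modified' means the package
    owns the path but the bytes on disk are not the ones it shipped.
    """
    if module_bytes is None:
        return "missing"
    recorded = recorded_md5(md5sums_text or "", rel_path)
    if recorded is None:
        return "unpackaged"
    return "packaged" if md5_hex(module_bytes) == recorded else "modified"


def module_origin(module_path: str = "/lib/security/pam_radius_auth.so",
                  md5sums_path: str = "/var/lib/dpkg/info/libpam-radius-auth.md5sums") -> str:
    """File-system wrapper around classify(); both default paths are assumptions."""
    module = Path(module_path)
    data = module.read_bytes() if module.is_file() else None
    record = Path(md5sums_path)
    text = record.read_text() if record.is_file() else None
    return classify(data, text, str(module).lstrip("/"))


if __name__ == "__main__":
    print(module_origin())
```

On a live Debian or Ubuntu host, `dpkg -S /path/to/pam_radius_auth.so` and `dpkg --verify libpam-radius-auth` answer the same two questions (who owns the file, and has it changed). An "unpackaged" result for the path PAM actually loads means the hand-built copy sits outside package management: `dpkg -P libpam-radius-auth`, as suggested above, removes only the package's own files, so the rebuilt module has to be tracked and updated by hand from then on.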

mhatelus commented 2 years ago

fyi, if anybody is running into this issue in the future, I also had to run the following commands on a new linux box:

git clone https://github.com/FreeRADIUS/pam_radius
cd pam_radius
sudo apt-get install build-essential
./configure
make
sudo install -m 0644 pam_radius_auth.so /lib/security

jpereira commented 2 years ago

For sure @mhatelus, therefore we could consider this ticket as done and close it.

krm3 commented 2 years ago

> fyi, if anybody is running into this issue in the future, I also had to run the following commands on a new linux box:
>
> git clone https://github.com/FreeRADIUS/pam_radius
> cd pam_radius
> sudo apt-get install build-essential
> ./configure
> make
> sudo install -m 0644 pam_radius_auth.so /lib/security

I just want to clarify for future people who will read this thread as I find it a bit confusing.

IPv6 support is included in pam_radius since version 2: https://github.com/FreeRADIUS/pam_radius/blob/release_2_0_0/Changelog

You apparently use a version of Debian or Ubuntu which has version 1.4, so it's no surprise that it's not working. That's why you have to compile the recent version 2 from source.

If you use a recent Debian or Ubuntu version as 11 (Bullseye) or 21.04 (Hirsute Hippo) respectively libpam-radius-auth version 2 is included and it works. Ubuntu 22.04 LTS will also contain it for sure. No need to compile it from source in this case.

Recent in Debian or Ubuntu never means the recent upstream version. This should be quite basic Linux sysadmin knowledge.